In the February Lion OS X 10.7 update, a debug option was apparently left enabled in FileVault, resulting in users’ passwords being saved in plain text in a log file accessible outside the encrypted areas, David Emery, head of Die Consulting, explained in an email to Cryptome.
“Anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre-Lion) FileVault home directories who have logged in since the upgrade to 10.7.3 in early February 2012”, Emery said.
“This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for”, he added.
Emery explained that users can partially protect themselves by using FileVault2 with full disk encryption.
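The failure mode described above is a service logging a credential in clear text to a file that other accounts can read. The following audit script is an added example, not code from the article, Apple or Emery: it scans a log for credential-like key/value pairs (reporting only redacted values) and flags whether the file is readable by its group or by everyone. The log format, the host and user names, and the `authhelper` process name in the sample lines are constructed for the example; the page does not give the real log layout or path.

```python
import os
import re
import stat

# Matches fields such as "password=...", "passwd: ...", "secret=...", "token=..."
# The value group is only ever reported in redacted form.
CREDENTIAL_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|secret|token)\b\s*[:=]\s*(\S+)")

# Constructed sample lines in a hypothetical syslog-like format (not the real log).
SAMPLE_LOG_LINES = [
    "2012-02-10 08:12:03 host loginwindow[99]: session opened for user alice",
    "2012-02-10 08:12:03 host authhelper[120]: DEBUG mount home for alice password=hunter2",
    "2012-02-10 08:12:04 host authhelper[120]: DEBUG mount status=ok",
    "2012-02-10 08:15:17 host sshd[310]: Accepted publickey for bob",
    "2012-02-10 08:20:41 host authhelper[120]: DEBUG retry for carol Password: s3cret!",
]


def redact(value: str) -> str:
    """Keep the first character so an analyst can correlate, hide the rest."""
    return value[0] + "*" * (len(value) - 1) if value else ""


def scan_log_lines(lines):
    """Return one finding per credential-looking field, never the clear-text value."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in CREDENTIAL_RE.finditer(line):
            findings.append({
                "line": lineno,
                "field": match.group(1).lower(),
                "redacted": redact(match.group(2)),
            })
    return findings


def is_readable_beyond_owner(path: str) -> bool:
    """True if group or other read bits are set (the exposure the article describes)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_log_file(path: str) -> dict:
    """Combine content and permission checks for a single log file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        findings = scan_log_lines(fh)
    return {
        "path": path,
        "findings": findings,
        "readable_beyond_owner": is_readable_beyond_owner(path),
    }


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: {f['field']} leaked as {f['redacted']}")
```

A hit from `scan_log_lines` plus `readable_beyond_owner` being true is the combination to treat as a compromise of every account named in those lines: rotate the password and, as the article advises, assume any copies or backups of the log also carry it.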
Commenting on the revelation, Chester Wisniewski, senior security advisor at Sophos, wrote in a Naked Security blog: “Let's hope Apple is able to fix this problem quickly. However, the possibility that the plain text password has been backed up and the difficulty of ensuring both copies and the original plain text password are securely erased means retrieval could still be possible even after the fix is applied. Once Apple users receive and apply the fix, they would be well advised to consider this password compromised, change it and ensure it is not used on any other systems.”